(windows) crypt against local type remote nests drive letter

What is the problem you are having with rclone?

I'm not really having a problem exactly, I did notice an odd behavior though.
First up, the actual goal: I'm using a crypt mount to allow me to encrypt objects on a local path, but leaving them visible in their encrypted state so that Backblaze is able to backup them up in their encrypted form, so I have an extra level of protection and obfuscation for that path. I do have this working....

However, one thing I get from the mount, is the warnings about capabilities utilizing things in the mount because I haven't enabled VFS caching for that point. I was hoping to avoid VFS caching, but still have normal local filesystem abilities, since it's not actually a cloud file system where that caching might be needed. It seems resource wasteful to VFS cache a local file system to get local file system abilities...I'm not clear if I can really achieve that with rclone, or if I should just live with enabling VFS caching, or if I'm better of switching to something like cryptomator or gocryptfs for this use. So that's really what I'm looking for input on...

Second up, the odd broken(?) bit I noticed:
The thing I noticed while messing with this...I was originally pointing to D:\rcEnc when mounting the local path as encrypted. This works fine...later, trying to work around the VFS bit I mentioned, I tried creating a local type remote(localyClear in the config), and then tried switching the crypt remote path to utilize a path through the local type remote, like I would with a normal cloud remote. i.e. in the config for the crypt mount point "D:\rcEnc" I changed to "localyClear:/?/D:/rcEnc"

This causes the mount command to now fail with statsfs error, but you can see in the log it's actually because rclone seems to be seeing the Windows drive letter in the local type remote, and doubling it up before trying to mount it, which of course becomes an invalid path, i.e. it turns "localyClear://?/D:/rcEnc" "localyClear://?/D:/?/D:/rcEnc". It's trying re-canonical the canonical path I specified I suppose? From the docs on re: local filesystem, I don't think it should have done that.

I didn't report this as a bug- it looks like a parsing bug to me, but I'm not sure I should actually be trying to mount a local path to be encrypted this way anyway. My original hope had been by mounting the path through a "local" remote, rclone might be more aware that it's not actually something that needs VFS to have the local file system operations available to it.

I just realized that the local type is actually starting at D:, which is the useful location for me, so changing the crypt mount point to localyClear:/rcEnc works as I expected it to with the longer path with the D: embedded in it. However, I'm not clear how rclone decided to set the root level of the local filesystem remote there. It's not in the config, and it didn't ask me for it when I created the remote. What if I needed to mount from a different drive? Specifying with a drive letter probably will trigger the doubling up again that I mentioned earlier...

Run the command 'rclone version' and share the full output of the command.

rclone v1.64.2

  • os/version: Microsoft Windows 11 Pro 21H2 (64 bit)
  • os/kernel: 10.0.22000.1455 (x86_64)
  • os/type: windows
  • os/arch: amd64
  • go/version: go1.21.3
  • go/linking: static
  • go/tags: cmount

Which cloud storage system are you using? (eg Google Drive)

none/local file system

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone mount localY:/ Z:\mntLocal\y

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

type = onedrive
token = XXX
drive_id = XXX
drive_type = personal

type = drive
client_id = XXX
client_secret = XXX
scope = drive
root_folder_id = XXX
token = XXX

type = crypt
remote = localyClear:/?/D:/rcEnc
password = XXX

type = local

type = crypt
remote = gd:/secCharlie
filename_encryption = standard
directory_name_encryption = true
password = XXX
root_folder_id = XXX

type = crypt
remote = gd:/secO
filename_encryption = obfuscate
password = XXX

type = crypt
remote = gd:/secV
filename_encryption = standard
directory_name_encryption = true
password = XXX


2023/11/18 14:19:27 DEBUG : rclone: Version "v1.64.2" starting with parameters ["C:\rclone\rclone.exe" "mount" "localY:/" "Z:\mntLocal\y" "-vv"]
2023/11/18 14:19:27 DEBUG : Creating backend with remote "localY:/"
2023/11/18 14:19:27 DEBUG : Using config file from "C:\Users\Emby\.config\rclone\rclone.conf"
2023/11/18 14:19:27 DEBUG : Creating backend with remote "localyClear:/?/D:/rcEnc"
2023/11/18 14:19:27 DEBUG : fs cache: renaming cache item "localyClear:/?/D:/rcEnc" to be canonical "localyClear://?/D:/?/D:/rcEnc"
2023/11/18 14:19:27 DEBUG : fs cache: switching user supplied name "localyClear:/?/D:/rcEnc" for canonical name "localyClear://?/D:/?/D:/rcEnc"
2023/11/18 14:19:27 INFO : Encrypted drive 'localY:/': poll-interval is not supported by this remote
2023/11/18 14:19:27 DEBUG : Network mode mounting is disabled
2023/11/18 14:19:27 DEBUG : Mounting on "Z:\mntLocal\y" ("localY")
2023/11/18 14:19:27 DEBUG : Encrypted drive 'localY:/': Mounting with options: ["-o" "attr_timeout=1" "-o" "uid=-1" "-o" "gid=-1" "--FileSystemName=rclone" "-o" "volname=localY"]
2023/11/18 14:19:27 DEBUG : Encrypted drive 'localY:/': Init:
2023/11/18 14:19:27 DEBUG : Encrypted drive 'localY:/': >Init:
2023/11/18 14:19:27 DEBUG : /: Statfs:
2023/11/18 14:19:27 ERROR : Encrypted drive 'localY:/': Statfs failed: failed to read disk usage: The system cannot find the path specified.
2023/11/18 14:19:27 DEBUG : /: >Statfs: stat={Bsize:4096 Frsize:4096 Blocks:8796093022207 Bfree:8796093022207 Bavail:8796093022207 Files:1000000000 Ffree:1000000000 Favail:0 Fsid:0 Flag:0 Namemax:255}, errc=0
2023/11/18 14:19:27 DEBUG : /: Getattr: fh=0xFFFFFFFFFFFFFFFF

I am not questioning your observations but I think you are using wrong tool for the job.

rclone is not really local filesystem encryption tool. In such usage it has many shortcomings like extended attributes or sparse files handling.
IMO you would have much better experience using your OS specific tools which usually provide full disk or specific folder/container encryption out of the box. I am not Windows user so do not have specific recommendations here but there are also cross platform tools like VeraCrypt.

No problem, I asked for feedback. Extended attributes are handled at the file system level in this case, it's just the object the attributes are attached to is encrypted. The sparse file handling is an example of what I was saying where if I don't have VFS, that becomes an issue. VFS allows sparse files to be utilized with cloud stored objects to enable that. So I could do that, by enabling VFS, it's just not ideal/extraneous since I'm not actually backing it with cloud storage in this case.

IMO you would have much better experience using your OS specific tools which usually provide full disk or specific folder/container encryption out of the box. I am not Windows user so do not have specific recommendations here but there are also cross platform tools like VeraCrypt.

No, for the reason I mentioned, Veracrypt and the like are explicitly not going to work well for this use case. I've even gathered Bitlocker creates many problems for using cloud based backups. With virtual volumes via Veracrypt, I'd have to first, pre-define the encrypted file size(not ideal), and second, the volume file would be open the entire time so backing it up becomes problematic. Additionally, that likely means doing it as a single, monolithic, large file. This can be more challenging to have a successful upload with the all or nothing nature. I'd have to dismount, let the upload process start, and potentially wait for the backup to complete before re-mounting, making the volume unavailable during that time- inconvenient to say the least.

If I encrypt the entire volume, then the backup is either only able to perform backups from the volume while mounted, decrypting it on the fly, which defeats what I'm trying to do, or it doesn't back it up at all if the volume isn't mounted.

Doing the encryption at the per object(file) level addresses this problem, and allows something like Backblaze to backup the individual objects. Which is why I was exploring using a crypt mount to gain object level encryption.

In any event, I've been testing with Cryptomator and gocryptfs to achieve the same result without having the VFS bits involved, and they seem like they will work and likely be a better approach for this particular problem. I'll just have to live with adding another tool to the mix, not the worst thing ever, just not ideal.


1 Like

Using rclone's encryption can be convenient, I agree.

In your config, are you not missing an extra leading slash here:

type = crypt
remote = localyClear:/?/D:/rcEnc
password = XXX

I mean, it should be:

remote = localyClear://?/D:/rcEnc

Or, rather, simply remove the prefix entirely (or was there some reason you used the long path format?):

remote = localyClear:D:\rcEnc

Ah, yeah I am...interestingly, it's not causing the mount to fail.
Anyway, I've decided this isn't going to be optimal, I've switched over to using cryptomator to do what I want.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.